[Samba] Samba malformed ACL
bradleydanecook at gmail.com
Wed Feb 27 10:42:53 GMT 2008
I've got a Samba PDC configured, with authenticating off an LDAP backend.
My client is trying to set permissions through Windows, and for some reason
no matter what I try the "everyone" group is always showing up as having
When an admin user tries to set permissions on the share through windows I
get the following errors in my /var/log/messages
Feb 27 11:28:16 northcity smbd: [2008/02/27 11:28:16, 0]
Feb 27 11:28:16 northcity smbd: create_canon_ace_lists: malformed
ACL in inheritable ACL ! Deny entry after Allow entry. Failing to set on
file STORE KPI/filename.txt.
I presume this is because he's try to deny the everyone group access after
it's being allowed at the top.
Below is my smb.conf
workgroup = NCW
server string = Linux server
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
encrypt passwords = yes
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins bcast hosts
time server = Yes
socket options = IPTOS_LOWDELAY TCP_NODELAY
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
logon path =
logon drive = Z:
logon home =
logon script = logon.bat
domain logons = Yes
os level = 65
domain master = yes
preferred master = Yes
local master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=northcity,dc=net
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=northcity,dc=net
utmp = Yes
admin users = @"Domain Admins"
map acl inherit = Yes
hide files = */desktop.ini/*
nt acl support = yes
utmp = yes
level2 oplocks = yes
oplocks = yes
[documents at ncw]
comment = Document share
path = /data
create mask = 0770
force user = root
writeable = yes
guest ok = yes
I've tried setting guest ok = no and this makes no difference.
If I do getfacl data/ I get the following.
# file: data
# owner: root
# group: root
Below is the output from ls -al on this dir.
drwxrwx---+ 8 root root 4096 Feb 26 17:13 data
I've tried removing perms, changing perms, changing users/groups using
setfacl and normal chown/chmod and nothing I do seems to get rid of the
"everyone" group access.
Below is more info about my samba version and filesystem info.
/dev/sda6 on / type reiserfs (rw,acl,user_xattr)
/dev/sdb1 on /data type ext3 (rw,acl,user_xattr)
I've tried the same permissions/acl's on both filesystem types without any
I'm running SLES9 Linux 2.6.5-7.257-smp #1 x86_64
Any help will be greatly appreciated.
More information about the samba